<!DOCTYPE html>
<html>
<head>
<meta charset="UTF-8">
<link rel="stylesheet" href="../common.css">
<script src="../t.js"></script>
</head>
<body>
<pre>
1. Visit <a data-path="/viewer_csp/viewer_csp.py">viewer_csp.py</a>.
   - No scripts (inline, internal, external) should load. Confirm that no JavaScript alert is shown, and also check the browser console.

2. Visit <a data-path="/viewer_csp/viewer_csp2.py">viewer_csp2.py</a>.
   - Row-column 1-1: frame.html in &lt;iframe&gt; should show normally, with the embedded image resource (green square) shown correctly.
   - Row-column 1-2: frame.html in &lt;embed&gt; should be blocked for safety. (URL should be a dummy blob:)
   - Row-column 1-3: frame.html in &lt;object&gt; should be blocked for safety. (URL should be a dummy blob:)
   - Row-column 2-1: external frame.html in &lt;iframe&gt; should show normally, with the embedded image resource (green square) shown correctly.
   - Row-column 2-2: external frame.html in &lt;embed&gt; should be blocked for safety. (blocked by extension CSP)
   - Row-column 2-3: external frame.html in &lt;object&gt; should be blocked for safety. (blocked by extension CSP)
   - Row-column 3-1: image.svg in &lt;iframe&gt; should show normally, with the embedded image resource (green square) shown correctly.
   - Row-column 3-2: image.svg in &lt;embed&gt; should be blocked for safety. (URL should be a dummy blob:)
   - Row-column 3-3: image.svg in &lt;object&gt; should be blocked for safety. (URL should be a dummy blob:)
   - Row-column 4-1: external image.svg in &lt;iframe&gt; should show normally, with the embedded image resource (green square) shown correctly.
   - Row-column 4-2: external image.svg in &lt;embed&gt; should be blocked for safety. (blocked by extension CSP)
   - Row-column 4-3: external image.svg in &lt;object&gt; should be blocked for safety. (blocked by extension CSP)
   - Row-column 5-1: helloworld.swf in &lt;embed&gt; should be blocked for safety. (URL should be a dummy blob:)
   - Row-column 5-2: helloworld.swf in &lt;object&gt; should be blocked for safety. (URL should be a dummy blob:)
   - Row-column 5-3: DynamicTreeDemo.jar in &lt;applet&gt; should be blocked for safety. (URL should be a dummy blob:)
   - Row-column 6-1: external helloworld.swf in &lt;embed&gt; should be blocked for safety. (blocked by extension CSP)
   - Row-column 6-2: external helloworld.swf in &lt;object&gt; should be blocked for safety. (blocked by extension CSP)
   - Row-column 6-3: external DynamicTreeDemo.jar in &lt;applet&gt; should be blocked for safety. (blocked by extension CSP)
</pre>
</body>
</html>
